Firewall configuration
Digi TransPort User Guide 661
Example
The following filter rule ensures that all packets from 10.1.*.* to 1.2.3.4 on the telnet port are
routed to ETH 1.
pass in break end routeto eth 1 from 10.1.0.0/16 to 1.2.3.4 port=telnet
oosed
Used to check the out of service status of an interface. For example, including the option
oosed ppp 1 would cause the rule to match only if interface PPP 1 is out of service.
[tos]
Used to specify the Type of Service (TOS) to match. If included, the [tos] field consists of the
keyword tos followed by a decimal or hexadecimal code, identifying the TOS to match. For
example, to block any inbound packet on PPP 0 with a TOS of 0, you would use a rule such as:
block in on ppp 0 tos 0
[proto]
Used to specify a protocol to match. It consists of the proto keyword followed by one of the
protocol identifiers listed in the table at the end of this section (udp, tcp, ftp, icmp, or a
decimal protocol number).
The [proto] field is also important when stateful inspection is enabled for a rule (using the
[inspect-state] field), as it identifies the protocol to inspect (see [inspect-state] below).
[dnslist]
Used to match packets containing DNS names in a given DNS list. The dnslist keyword must be
followed by the name of a DNS list as defined by the #dns command.
For example, consider the following DNS list:
#dns gglist www.Digi.co.*,www.*.co.nz
The following firewall rule blocks all DNS lookups for DNS names matching the above list:
block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns
[ip-range]
Specifies the range of IP addresses and ports to match. It may be specified in one of several
ways. The basic syntax is:
ip-range="all" | "from" ip-object "to" ip-object [flags] [icmp]
where ip-object is an IP address specification. For full details of the syntax with examples, see
Specifying IP Addresses and ranges on page 662.
Protocol identifiers for the [proto] field:
Identifier      Meaning
udp             UDP packet
tcp             TCP packet
ftp             FTP packets regardless of port number
icmp            ICMP packet
decimal number  decimal number matched to the protocol type in the IP header
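To make the rule fields above concrete, here is an added example (not Digi code and not part of the user guide) that parses the three rules shown on this page plus an oosed rule, and evaluates constructed packets against them in first-match order. It assumes a simplified packet model (a dict with direction, interface, TOS, IP protocol number, addresses, destination port and, for DNS traffic, the queried name), a small constructed service table (telnet=23, dns=53), and shell-style wildcard matching for the #dns list entries; the ftp application-layer identifier is not modelled. The evaluate() and parse_dns_list() names are this example's own.

```python
"""Toy matcher for the Digi TransPort-style firewall rule subset shown on this page.
Added example, not Digi code. Packet model, service table and wildcard semantics
are assumptions made for illustration."""
import fnmatch
import ipaddress

# Constructed service-name table (assumption, mirrors common /etc/services values).
SERVICES = {"telnet": 23, "dns": 53}
# Protocol keywords resolved to IP protocol numbers (ftp is application-level; not modelled).
PROTOS = {"udp": 17, "tcp": 6, "icmp": 1}


def parse_dns_list(line):
    """'#dns gglist www.Digi.co.*,www.*.co.nz' -> ('gglist', ['www.digi.co.*', 'www.*.co.nz'])."""
    _, name, patterns = line.split(None, 2)
    return name, [p.strip().lower() for p in patterns.split(",")]


def parse_rule(text):
    """Parse the rule fields covered on this page into a dict of match criteria."""
    toks = text.split()
    rule = {"action": toks[0], "direction": toks[1]}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("break", "end"):
            rule["break"] = True            # stop rule processing on a match
        elif t in ("routeto", "on", "oosed"):
            rule[t] = f"{toks[i + 1]} {toks[i + 2]}"   # e.g. 'ppp 1'
            i += 2
        elif t == "tos":
            rule["tos"] = int(toks[i + 1], 0)           # decimal or 0x.. hex
            i += 1
        elif t == "proto":
            p = toks[i + 1]
            rule["proto"] = PROTOS[p] if p in PROTOS else int(p, 0)
            i += 1
        elif t == "dnslist":
            rule["dnslist"] = toks[i + 1]
            i += 1
        elif t in ("from", "to"):
            v = toks[i + 1]
            rule["src" if t == "from" else "dst"] = None if v == "any" else ipaddress.ip_network(v)
            i += 1
        elif t.startswith("port="):
            v = t[len("port="):]
            rule["dport"] = SERVICES[v] if v in SERVICES else int(v)
        i += 1
    return rule


def rule_matches(rule, pkt, dns_lists=None, out_of_service=()):
    """True if every criterion present in the rule holds for the packet."""
    if rule["direction"] != pkt["direction"]:
        return False
    if "on" in rule and rule["on"] != pkt["iface"]:
        return False
    if "oosed" in rule and rule["oosed"] not in out_of_service:
        return False                        # only matches while that interface is down
    if "tos" in rule and rule["tos"] != pkt.get("tos", 0):
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dnslist" in rule:
        patterns = (dns_lists or {}).get(rule["dnslist"], [])
        name = pkt.get("dns_name", "").lower()
        if not any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return False
    for key in ("src", "dst"):
        if rule.get(key) is not None and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    return True


def evaluate(rules, pkt, dns_lists=None, out_of_service=()):
    """Return the first matching rule (the page's rules all carry 'break end'), or None."""
    for rule in rules:
        if rule_matches(rule, pkt, dns_lists, out_of_service):
            return rule
    return None


# The rules from this page, plus an oosed rule of the kind the text describes.
RULES = [parse_rule(r) for r in (
    "pass in break end routeto eth 1 from 10.1.0.0/16 to 1.2.3.4 port=telnet",
    "block in on ppp 0 tos 0",
    "block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns",
)]
OOS_RULE = parse_rule("pass out break end oosed ppp 1 from any to any")
DNS_LISTS = dict([parse_dns_list("#dns gglist www.Digi.co.*,www.*.co.nz")])

# Constructed sample packets (assumptions).
PKT_TELNET = {"direction": "in", "iface": "eth 0", "tos": 0, "proto": 6,
              "src": "10.1.7.9", "dst": "1.2.3.4", "dport": 23}
PKT_PPP0 = {"direction": "in", "iface": "ppp 0", "tos": 0, "proto": 6,
            "src": "8.8.8.8", "dst": "1.2.3.4", "dport": 80}
PKT_DNS_DIGI = {"direction": "out", "iface": "ppp 1", "tos": 0, "proto": 17, "src": "192.168.1.5",
                "dst": "9.9.9.9", "dport": 53, "dns_name": "www.Digi.co.uk"}
PKT_DNS_OTHER = dict(PKT_DNS_DIGI, dns_name="www.example.com")

if __name__ == "__main__":
    for p in (PKT_TELNET, PKT_PPP0, PKT_DNS_DIGI, PKT_DNS_OTHER):
        print(p.get("dns_name", p["dst"]), "->", evaluate(RULES, p, DNS_LISTS))
```

Running the module prints which rule each constructed packet hits: the telnet packet is passed and routed to eth 1, the inbound ppp 0 packet with TOS 0 is blocked, the DNS query for www.Digi.co.uk is blocked by the dnslist rule, and the query for www.example.com matches nothing. The oosed rule only matches when "ppp 1" is passed in the out_of_service set.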